httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From David Southwell <da...@cyberc.demon.co.uk>
Subject Re: Fwd: 1.3.1 missing pgp signature
Date Sun, 26 Jul 1998 09:20:34 GMT
On Sat, 25 Jul 1998, Rodent of Unusual Size wrote:

> David Southwell wrote:
> > 
> > Going back to basics can someone spell out for me and other
> > comparative newcomers:

> > 1. what benefits are gained by using the key.
> > 2. why it is always essential to  use it
> 
> The answers to these are the same.  By having a trusted person
> sign a release, and have both the signature and the signer's
> public key available online in a secure location, someone who
> downloads the tarball - regardless of from where - can check the
> signature against what it's supposed to be and be assured that
> what he's gotten is what the signer approved.
> 
Clear enough answer to Question 1

But it doesnt seem to satisfactorily answer Question 2 - 

KEY QUESTIONS! (no pun intended!) ;-)
1. How many people actually use it?

2. Can we be convinced it is really essential?

3. Does someone who fails to PGP sign really deserve being pilloried? 

4. Did the introduction of the process come about due to a significant bad
experience or was it introduced as a "generally good idea"?

5. Do we really have anything to fear from dropping the practice? 

OBSERVATIONS!
>From what I have heard so far it does seem to sound like an almost
entirely unused sledge hammer kept around to crack hypothetical nuts!!

Coming to this without the experience on this list that you guys all
have means I say this in knowledge that I may be missing an essential 
something. 

However from what has been said so far it seems that people who are likely
to be in the position to doubt the validity of a tarball are few are far
between. They are also more likely to ask here than go through the hassle
of checking it out using PGP! 

On the one hand a low expectations of downloader capabilities is
demonstrated by not keeping old releases around (apparently for fear that
people are not able to distinquish between releases that are and are not
currently supported) ; on the other hand there is an implied perception
that PGP signing is essential from which one deduces an appropriate level
of competence! 

Subject to there being some other unexplained factors these two
perceptions are, on the face of it, mutually incompatible.

Sounds to me more like something that is required very rarely between
consenting adults!

david S


David Southwell
Chairman      
CyberCity Ltd            (European agents for CyberCity Inc. BVI)
+44 117 955 8225            CyberCity Technology in Europe
BCDP Technology ++Beyond the Corporate Doorway Processing Solutions++


Mime
View raw message